1 |
Christian Hoffmann wrote: |
2 |
> Heya, |
3 |
> |
4 |
> I'm going to p.mask =dev-lang/php-4* and all packages explicitly |
5 |
> depending on this version of php (i.e. the whole dev-php4/ category |
6 |
> (36 packages) and one webapp, www-apps/knowledgetree, bug 194894 [1]) |
7 |
> next weekend (around Oct 14th). This step is necessary as there is |
8 |
> hardly any upstream activity anymore. |
9 |
> |
10 |
> The last official version of php-4, 4.4.7, dates back to May 3rd and is |
11 |
> in the same state as php-5.2.2 security-wise (and we all know how many |
12 |
> issues php-5 had in the past, just have a look at the recently published |
13 |
> GLSA 200710-02 [2]). |
14 |
> |
15 |
> All those security problems, which were fixed in the 5.2 branch, |
16 |
> possibly apply to the 4.4 branch as well, yet there are no (backported) |
17 |
> fixes in upstream CVS and there is no sign of an upcoming release |
18 |
> either. |
19 |
> This means, if we were to continue php-4 support we would have to do |
20 |
> the upstream work and compile a list of issues + patches. Upstream |
21 |
> developers seem to see it the same way -- "if you really want to get it |
22 |
> done - do it" was one reply when I asked what's up with php-4. Noone |
23 |
> from our PHP team has the time and motiviation to do that work, and as |
24 |
> such we are going to mask it (unless someone volunteers to do the work |
25 |
> and/or upstream becomes active again). |
26 |
> |
27 |
> We will still keep php-4 (and all related packages) in the tree until at |
28 |
> least the end of the year (this is the date where official upstream |
29 |
> "support" ends) and bump it if (and not "when"...) there are any |
30 |
> releases. |
31 |
> |
32 |
> We advise all users of of php-4 to upgrade to php-5 as soon as possible. |
33 |
> |
34 |
> [1] https://bugs.gentoo.org/show_bug.cgi?id=194894 |
35 |
> [2] http://www.gentoo.org/security/en/glsa/glsa-200710-02.xml |
36 |
|
37 |
Since you're doing the masking, can you please help out the GDP by |
38 |
reviewing a few of our documents for any potential changes that must be |
39 |
made? Grepping for "php4" shows that there are references in the |
40 |
following docs: |
41 |
|
42 |
1. http://www.gentoo.org/doc/en/jffnms.xml |
43 |
2. http://www.gentoo.org/doc/en/apache-troubleshooting.xml |
44 |
3. http://www.gentoo.org/doc/en/qmail-howto.xml |
45 |
4. http://www.gentoo.org/doc/en/handbook/hb-working-rcscripts.xml |
46 |
|
47 |
|
48 |
Thanks, |
49 |
|
50 |
Josh |